Analysis
- max time kernel: 151s
- max time network: 169s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 10:02
Static task: static1
Behavioral task: behavioral1
- Sample: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
- Resource: win10v2004-20220812-en
General
- Target: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
- Size: 1.8MB
- MD5: ea782275c1bb27082a299dc3cf210dde
- SHA1: 3e1237d9965a5fce404154cd3a8583da6a3312a4
- SHA256: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df
- SHA512: 4a19dd7de63fd17df99a7552d206d5eb4a0d3a12ebe79cf24c580ca88ed4e9c18e3fdb795154899becba4e87ac85b9952493d6326e6ef66f86004f0c0883c244
- SSDEEP: 49152:PKxsFoq3ZDUcvA0YzmPfndN4HKcw0aUBT2N:P8sRJJYzm3f4HQEBT
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\XqQGfoEYUveg.exe\",explorer.exe" | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

Executes dropped EXE (4 IoCs)
  Processes: tXbgtnOaTpRBuhE5.exe, hOQgxZXr8DVXNG3f.exe
  pid | process
  1108 | tXbgtnOaTpRBuhE5.exe
  1180 | hOQgxZXr8DVXNG3f.exe
  1328 | tXbgtnOaTpRBuhE5.exe
  928 | tXbgtnOaTpRBuhE5.exe

Loads dropped DLL (4 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  pid | process
  1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  1108 | tXbgtnOaTpRBuhE5.exe (3 entries)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: tXbgtnOaTpRBuhE5.exe, 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\eHSlRWmUQJ5T.exe" | tXbgtnOaTpRBuhE5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Microsoft.exe" | tXbgtnOaTpRBuhE5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Windows\\Windows.exe" | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  description | pid | process | target process
  PID 1848 set thread context of 1976 | 1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  PID 1108 set thread context of 928 | 1108 | tXbgtnOaTpRBuhE5.exe | tXbgtnOaTpRBuhE5.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  pid | process
  1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  1108 | tXbgtnOaTpRBuhE5.exe (6 entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  pid | process
  1976 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  928 | tXbgtnOaTpRBuhE5.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  description | pid | process
  Token: SeDebugPrivilege | 1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe (2 entries)
  Token: SeDebugPrivilege | 1976 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  Token: SeDebugPrivilege | 1108 | tXbgtnOaTpRBuhE5.exe (2 entries)
  Token: SeDebugPrivilege | 928 | tXbgtnOaTpRBuhE5.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  pid | process
  1976 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
  928 | tXbgtnOaTpRBuhE5.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe, tXbgtnOaTpRBuhE5.exe
  description | pid | process | target process
  PID 1848 wrote to memory of 1108 | 1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe | tXbgtnOaTpRBuhE5.exe (4 entries)
  PID 1848 wrote to memory of 1976 | 1848 | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe | 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe (9 entries)
  PID 1108 wrote to memory of 1180 | 1108 | tXbgtnOaTpRBuhE5.exe | hOQgxZXr8DVXNG3f.exe (4 entries)
  PID 1108 wrote to memory of 1328 | 1108 | tXbgtnOaTpRBuhE5.exe | tXbgtnOaTpRBuhE5.exe (4 entries)
  PID 1108 wrote to memory of 928 | 1108 | tXbgtnOaTpRBuhE5.exe | tXbgtnOaTpRBuhE5.exe (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe (PID 1848)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe (PID 1108)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe (PID 1180)
         Command line: "C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe"
         - Executes dropped EXE
      3. C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe (PID 928)
         Command line: "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe (PID 1328)
         Command line: "C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft
         - Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe (PID 1976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 131KB (3 identical entries)
  MD5: af9e24849dec91baa236d309b6fc54df
  SHA1: 6effffed3f777e7fe33396430cde07752b50bae6
  SHA256: 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
  SHA512: 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c
- Filesize: 852KB (7 identical entries)
  MD5: 5e8c019883c1c5bd0fdac3663a863e94
  SHA1: ad53d21c86af70b7fc791f5879f578758aa04525
  SHA256: 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
  SHA512: 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716
- Filesize: 102B
  MD5: dde407053cdc227c356ae66057f6e504
  SHA1: 37a4ca31e740dcd1f5123a07204a6fed6129d06e
  SHA256: 2fa2b2e2f851fed61c02226e2ad61cbf59e9a22a40957f2c08979ef63aed6804
  SHA512: 056bbe44690a39a47e2800a487ce7aa680a317b2d5b597dd4a82261d522cb466013125bf79217eef2b75b6eac0e2fd3c947552561bfddc33dacf0fdbb0a8434b
- Filesize: 139B
  MD5: 0e2f41946322391a5eea51b31ff9d4a0
  SHA1: 01697c4201d9f5d6f9b95456a53cb32e238b1cea
  SHA256: f98fec983593f98ba6c41e21134bc563ea199886646640ad11874cbcf5f69d97
  SHA512: 3972b0f9a0e1a98e7873b0a1a615b74af93b4bf7cb62ab7c6959094a547f61ea00a5e8854b909d5c1ae8e609259324422567685f8a8c21db54968f1a0cb29366